How to open a safe (github.com/h4ckd4ddy)
283 points by seasicksteve on June 6, 2022 | 81 comments



I can't even imagine what happened here. I do quite a bit of coding on front panels like this for my job engineering industrial controls. Even without the need for security, I wouldn't allow a front panel to make decisions. It has only two jobs: to accurately display what it is asked to, and to report in a timely manner what keys have been pressed. Doing more than that is not only unnecessary, but it reduces the ability to easily re-use it as a drop-in module in other products, and it makes the architecture of the system more confusing. Clearly somebody had other ideas here, but I can't see why.


The vulnerability is not in the front panel. It's the panel on the inside that accepts a code reset command without valid authentication.


That is a vulnerability in the front panel. The front panel is deciding based on the reply from the 'enter factory code' command that it is ok to send the 'reset user code' command. The front panel should not be making decisions like that. The front panel should not be sending commands at all.


I think you are misunderstanding what old mate is saying.

The vuln is in the back of the panel because it's accepting the reset code command. The front panel isn't vulnerable because it's not a trusted component here anyway, the bypass actually just talks directly to the back panel.

You are however correct that the front panel probably shouldn't be sending an actual reset code command, but that is really a protocol-level problem, not specifically a front panel issue. It's possible to make that safe by having the back panel first transition into an appropriate state upon being primed with the existing code or a valid factory code before accepting the reset command, but an even better fix is to couple both the validation of the existing code and the desired new code into a single command that is validated in one shot.
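A toy model of the two designs this reply contrasts, added here as an illustration and not the safe's actual firmware: the command names, the sample factory code and the user codes are all assumed. The vulnerable controller honours a reset from anything on the serial link; the hardened one only changes the code inside a single command that carries the existing or factory code.

```python
import hmac

FACTORY_CODE = "1234567"      # constructed sample value, not a real code


class VulnerableController:
    """Inside panel that trusts the keypad to have checked the factory code."""

    def __init__(self, user_code="55555"):
        self.user_code = user_code
        self.bolt_open = False

    def handle(self, cmd, *args):
        if cmd == "ENTER_FACTORY_CODE":
            return hmac.compare_digest(args[0], FACTORY_CODE)
        if cmd == "RESET_USER_CODE":
            # The flaw: nothing ties this to a prior factory-code check.
            self.user_code = args[0]
            return True
        if cmd == "ENTER_USER_CODE":
            self.bolt_open = hmac.compare_digest(args[0], self.user_code)
            return self.bolt_open
        return False


class HardenedController:
    """Code change is one command carrying the credential and the new code."""

    def __init__(self, user_code="55555"):
        self.user_code = user_code
        self.bolt_open = False

    def handle(self, cmd, *args):
        if cmd == "CHANGE_USER_CODE":
            credential, new_code = args
            authorised = (hmac.compare_digest(credential, FACTORY_CODE)
                          or hmac.compare_digest(credential, self.user_code))
            if authorised and new_code.isdigit() and len(new_code) >= 5:
                self.user_code = new_code
                return True
            return False
        if cmd == "ENTER_USER_CODE":
            self.bolt_open = hmac.compare_digest(args[0], self.user_code)
            return self.bolt_open
        return False      # RESET_USER_CODE and a bare factory code do nothing


def unauthenticated_reset_attempt(controller):
    """What the serial link sees in the write-up: a reset with no credential,
    then the freshly chosen code. Returns whether the bolt opened."""
    controller.handle("RESET_USER_CODE", "00000")
    return controller.handle("ENTER_USER_CODE", "00000")
```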


It's a vulnerability in the inside panel that was covered up by requiring the front panel to do more than it should. If the front panel were just a dumb I/O device, the inside panel could not have this specific vulnerability.


No that's still wrong. The inside panel is the only thing doing any validation. The front panel more or less is dumb IO.

The vulnerability really is in the inside panel and changing the outside panel to just be a keypad wouldn't have prevented the mistake.


No, you're misunderstanding. The front panel is validating that the factory code is entered correctly before it allows the lock code to be reset. If the front panel were just dumb I/O, the inside panel would have to validate the factory code before allowing the lock code to be reset.


This boggles my mind for a different reason. I can't understand why they would design the lock to be so shitty. They're saving probably a minuscule amount of money required to upgrade the lock's design to "barely decent" in exchange for risking lawsuits and reputational damage. I really don't get it. The amount they save cannot possibly justify the product being such a clusterfuck.


I am shocked... absolutely shocked, I say, that Master Lock released a security product to the market that is so badly engineered it is trivial to open.


Ah, someone who watches Lock Picking Lawyer videos.


Click out of three


Judging by the fact that master lock is still widely sold, it’s not common knowledge how crap they are.


Finding vulnerabilities in low security locks is just an academic exercise.

If you need high security, you are buying a product very different than a master lock, and you need to consider the integrity of the entire system it is connected to.

Low security locks work mainly by deterrent, and even if they were without vulnerability, the container you’re attaching it to probably is vulnerable. Brute force attacks are the much more common scenario against low security locks, and there’s not much of a low cost solution to that; it requires expensive materials: https://youtu.be/2guvwQvElA8

If you put an unpickable lock on a sheet metal box, you're spending more money, but not actually improving security.

The reason that master locks are popular is because they are fairly reliable, easy to get keys for, have useful feature sets, etc. These are the features that commercial users often care about the most. They don’t want to spend more money to get an unpickable lock that interrupts their daily business when it inevitably gets dirty, keys are lost, etc. especially if it provides no additional resistance against an angle grinder.


>Judging by the fact that master lock is still widely sold, it’s not common knowledge how crap they are.

I think you misunderstand the threat model and/or use case. Most of the time I don't think anyone expects locks to do anything except keep honest people honest and dissuade the lowest level of opportunistic attacks.

A sledge hammer is cheap. It can open just about any door. The difference between a cheap door and hardware and a high end security door might be ~5 minutes of hammer time. (Nothing can stop hammer time). Nothing will stop someone with time and tools.

But if that threat model were a concern, we'd see a lot more bars on ground-level windows and the like. No one cares. Because 99.99% of the time, it's not going to be a problem.

Now, there are definitely use cases out there where it makes a big difference and people want the security. But MOST of the time, people aren't trying to stop or slow down someone with bolt cutters, a bump key, or shim.


A sledge hammer is not subtle. Someone breaking a door with a sledgehammer is very obviously breaking a door. It’s also very obvious in the aftermath that the door has been opened.


A lock is a delaying device.

A lock is (should be) tamper-evident.

All locks can (probably) be bypassed (eg: sledgehammer), but it’s best if it is visible that tampering has occurred.


Nit: isn't this a threat scenario? Where a composition of scenarios and mitigations relevant to a use case would be the model?


The people who don't know don't care usually, or they'd be buying a lock that costs more than $5-20. Either because it's protecting something of low value, or they don't know how to quantify when something needs more value, or because it doesn't matter.

For instance, if you have a shed with windows and a hasp on it, that it has a $10 master lock on it is the least of your security problems.

If you're storing $100m in gold bars in said shed, putting the $10 master lock on it is also probably the least negligent thing you're probably doing.


The more hassle involved with breaking the lock, the harder it is to steal; that makes sense. Don't forget about security by obscurity, though. Let's say a criminal with a bolt cutter finds their way to an unattended gym locker room and they only have time to snip one or two locks. The majority of the lockers have generic Master Locks, a few have some exotic "ultra-secure" locks on them. Do they randomly snip a locker with a generic Master Lock, or do they pick the bright-orange-ultra-secure-lock-probably-hiding-a-tablet-and-laptop locker?


Wouldn't that be a bad example? That they could still snip the better locks seems like they're not really better. In general, you would want a lock that they would need a special tool that they didn't bring. For example, maybe the thief could have cut (sawn) the higher end locks, but they only brought bolt cutters because they're faster and work on 90% of the locks.


Many better locks from a picking perspective are only mildly better from a physical security perspective.

If someone has brought tools (portable angle grinder, hydraulic bolt cutters, or a prybar) sufficient to take out most locks, they'll take out most locks unless you upgrade A LOT. At which point they can usually use the same tools to defeat the hasp, and you're still compromised.


Not necessarily. The attack has to be expensive enough (in time, noise, ...) to be discouraging, making the attacker go elsewhere or not attack at all.


My point was that the example given involved "better" locks that were just as vulnerable as the cheaper ones.


Same logic for basic deadbolts in the US (Kwikset/Schlage/etc).


Kwikset's SmartKey deadbolts are very common in hardware stores, and quite difficult to pick.


Interesting. I hadn't heard about them.


They're "purple belt" rank for the reddit /r/lockpicking belt ranking system[1]. That rank's description is "You are now picking locks that are categorically hi-sec. They have two or more discrete locking mechanisms and are considered unpickable by nearly every locksmith on the planet. You are helping new pickers frequently and sharing challenge locks."

The SmartKey locks have two major flaws: a tiny endoscope camera can view the positions of the sliders and allow visual decoding of the correct position of each one independently (very specialized expensive equipment, about $350[2]), and it's possible to stick a shim in between the cylinder and body of some of the locks to tension the sidebar directly. Without a way to tension the sidebar it's extremely difficult to get any feedback.

[1] https://www.reddit.com/r/lockpicking/wiki/beltranking#wiki_r...

[2] https://www.lockpicks.com/catalog/product/view/_ignore_categ...


"And I put all of this in a pen... to have a real pen-test tool." Perfect :)


Does an electronic lock of the kind where the keypad is on the insecure side of the door generally contain or not contain the mechanism to open that door? How is that mechanism normally secured?

Edit: I mean here it looks like ripping off the front panel and powering the solenoid will get you into the safe.


A lot of name brand electronic locks can be bypassed with a tool like the Spike Master that lets you manually drive the solenoid, so even from brands that should know better there are issues.

Sadly this is an issue of market demand rather than poor engineering. Good security costs more and this is priced into the safe/lock ecosystem - if you want real security buy a commercial safe with a Group 1 lock. Sadly though this leaves consumers at risk who don't understand this. They buy a safe from a brand they recognize and they think they are in good shape. Meanwhile I get shunned on forums by actual safe techs by encouraging muggles to do their own research and buy higher quality commercial safes 2nd hand for less money.


LockPickingLawyer actually covers this topic, from an access control system context.

https://www.youtube.com/watch?v=0SEHUqkbIjU

TL;DW Decision making should be on the secure side of the door, and communication should be encrypted.


Encryption alone doesn't prevent replay attacks, you need something more advanced; for example controller generates a nonce, reader hashes secret + nonce, controller compares to expected value.
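The nonce scheme in this comment, carried through as an added illustration (not the safe's protocol or the project's code). The shared secret and PIN are constructed sample values, and HMAC-SHA256 over nonce and PIN stands in for the bare "hash of secret + nonce", so the PIN itself never crosses the wire and a recorded response is useless once the controller has moved on to a new nonce.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-example-secret"   # provisioned at manufacture


class Controller:
    """Inside the safe body: issues nonces and makes every decision."""

    def __init__(self, pin="48213"):           # constructed sample PIN
        self.pin = pin
        self.pending = None                    # the one nonce outstanding
        self.bolt_open = False

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def submit(self, nonce, tag):
        # A nonce is good for exactly one response, then forgotten, so a
        # recorded (nonce, tag) pair cannot be played back later.
        if self.pending is None or not hmac.compare_digest(nonce, self.pending):
            return False
        self.pending = None
        expected = hmac.new(SHARED_SECRET, nonce + self.pin.encode(),
                            hashlib.sha256).digest()
        # Wrong PIN and missing secret both fail the same way.
        self.bolt_open = hmac.compare_digest(tag, expected)
        return self.bolt_open


class Keypad:
    """Outside the door: holds the secret but decides nothing itself."""

    def respond(self, nonce, pin_entered):
        tag = hmac.new(SHARED_SECRET, nonce + pin_entered.encode(),
                       hashlib.sha256).digest()
        return nonce, tag


def legitimate_open(ctrl, pad, pin_entered):
    """One normal exchange: challenge, keypad response, controller verdict."""
    return ctrl.submit(*pad.respond(ctrl.challenge(), pin_entered))


def replay_captured_message(ctrl, pad):
    """Record one valid exchange, then play it back after the controller has
    issued a new challenge. Returns (first_use_opened, replay_opened)."""
    captured = pad.respond(ctrl.challenge(), "48213")
    first = ctrl.submit(*captured)
    ctrl.challenge()
    return first, ctrl.submit(*captured)
```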


Eh, the article's about a safe with a keypad.

An attacker who can intercept and replay the comms between the keypad and the controller, can probably also intercept and replay the signals from the physical buttons into the keypad's microchip. Or perhaps more likely, point a hidden camera at the keypad.


I was thinking the same thing. Encryption still wouldn't prevent the replay attack, just the ability to determine the card's number and flash it onto a new card.


The article mentions two boards, an inside controller that activates the solenoid and a keypad, which communicate using RS232. Which seems right; they just neglected to require you to enter the factory code before setting a new combination.



It's one of the few ancient ones available on the official ndr extra3 channel, with subtitles, which yt can translate (in desktop view at least):

https://www.youtube.com/watch?v=6lyoUe7CEYs


I would really hope that people who make security tools would have the best-of-breed electronic engineers but clearly not. The crack was pretty rudimentary and would take an experienced electronics test technician about an hour by the looks of it.

"No response". Understandable when you don't have any way to easily put it right, although I suppose they could have at least asked OP to keep it a secret until they could rectify it.


These are really just fire safes. They’re made to protect important documents from being destroyed in the amount of time it takes a fire truck to put your house fire out. The lock is mostly to keep kids or guests out.

The biggest security vulnerability in these “safes” is not the lock. It’s that a thief can simply pick it up and walk away with it.


All this. I feel like people are not understanding that this is not meant to be a secure safe or even a deterrent. It is a home safe designed to keep valuables minimally safe from an average fire, with a side benefit of also preventing a toddler from swallowing your pearls. That's it.


Well, many people bolt their safe to their house. That adds some time for the thief to abscond with it. But I don't think "not meant to be secure anyway" is an excuse for "designed with a trivial security flaw." I mean, am I still supposed to trust what the manufacturer says about its fire resistance?


Most small desktop fire safes, like the one in this post, don’t have the provisions to do that unless you modify them.

These safes usually have a rating to be resistant to fire, but they usually lack any burglary-resistance ratings.

Burglary rated safes are expensive. They’re more expensive than the crap most homeowners want to put inside of their safe.


I mean, to be fair this is the sort of safe you find in a hotel room where it's expected that the staff have access to it. It's decidedly _not_ a high-threat environment secure item.


As a kid on family vacation we had a hotel room with a safe. Turned out to be usable as a toy for my brother and me. One of us setting a code, the other trying to guess it. Until the one of us setting it failed to remember it.

Turned out the hotel had no problem opening it at all.


Electronic safes are anathema. It will take someone at least a few more minutes with their angle grinder to open mine.


What do people expect when buying a mostly plastic safe?


Actually the problem here is that it's possible to reinit the PIN when the safe is still closed... so the trick to open the safe is to reinit the PIN then send the new PIN

The second problem is the possibility to open the PINpad from the outside with the safe closed.

It seems to me that those two problems could easily be fixed by the manufacturer... and I can't understand why they just didn't do it right upfront.


The second one is very hard to avoid. The safe could of course have some form of tamper detection/response, but other than that, you can't put the PIN pad in a safe, so a determined attacker will be able to open it (using tools/force if necessary).


As another commenter explained, the only problem here is that the PIN pad is doing any logic at all. It should only be sending key presses to the internal controller safely inside the safe body; there is no reason for it to do anything else.


You can't put the PIN pad inside, but you can put the screw inside.


Which doesn't help if you assume the attacker has a dremel.


"Opening it with a dremel" is a completely different class of attacks from "opening it without leaving a trace".


Changing the lock code isn't really leaving without a trace.


If I open my hypothetical safe once a month, I may not find out that someone has changed the code for up to a month.

If someone cuts it open with a dremel, I'll notice as soon as I happen to see it.


Is it the same as taking a dremel to it?


To be honest, I would go with a manual dial/lock/safe/etc. I don't trust most mass produced electronic physical security stuff (consumer grade or affordable stuff anyways). The non-electronic stuff is still vulnerable, but it's not this fast to attack.


+ Means

+ Motive

+ Opportunity

You want your thing to be very safe? Forget the safe, throw it in the ocean encased in a cement block. Very secure, will not be retrieved. Note - I said ocean, not a lake.

Biometric and pin pad locks are quick. Less secure sure but quick.

If an attacker has the triangle of means (tools, knowledge), motive and opportunity (physical access) then any lock can be defeated if only because you can torch through the lock.

Security is always a tradeoff. "More" secure is not always the correct tradeoff.


> will not be retrieved

My friend Victor would disagree. Of course, finding the block would be much harder than going down in DSV Limiting Factor to get it.


If the DSV crew ever wants some recreational challenges, I would happily create some and even give them some rough coordinates to work from.


In large, high-end gun safes like Liberty, it is difficult to find them with mechanical locks anymore. They just don't make them.


Some electronic locks can be replaced with a reliable Sargent & Greenleaf mechanical combination lock, if they have standard mounting.


Is Liberty really high-end? I would have thought they were mid-grade. I think most places have options for mechanical or electronic. Granted the electronics on those should be considerably better than the ones in the article, at least from a simple access perspective of not pulling the keypad off from the outside.


They’re high end consumer-grade safes. Which in the world of commercial-grade security, is also known as “not a safe”.

So, depending on your perspective, they’re either really good, or entirely unusable.


Indeed, they're almost always "residential security containers" at best. Which means the manufacturer can't even be bothered to assert that it would take 5 minutes to break into with hand tools.


I would have thought things like ISM would be top quality consumer grade.


They are, but they are far more expensive than mainstream consumer gun "safes" and very heavy.

A buddy of mine's dad dealt in wholesale jewelry and my friend inherited one of his dad's safes (I don't recall the brand offhand). It's over 5,000 pounds, has a tempered glass relocking plate in the door to defeat drills, etc. It is far beyond what almost any gun owner would go for. If something were to somehow fire the relockers, it would be an expensive proposition to get into the safe afterwards.


I would guess that would be commercial grade if he was involved in that business.


ISM makes TL rated safes. Actual security devices. This is the entry level of what you might need as a business owner.

They’re more expensive than what 99% of homeowners put inside of their safes.


I love how the fix repo is just a re-implementation of the firmware you should see in one of these safes.

Like you are just doing their job for them at that point.


So when will the Flipper plugin be released?


This was my first thought when I saw the pen. (Still waiting for mine)


I love the idea he links at the end to implement TOTP using an arduino/esp8266 [1] inside the safe, to derive the opening PIN.

[1]: https://github.com/H4ckd4ddy/fix-sentry-safe


All of those electronic locks are garbage. Last year I bought a safe with an S&G mechanical spin-dial lock. Those are GSA approved. S&G also has electronic spin-dial locks, but they do not seem to be available as an option on consumer/commercial safes.


In French, a 3 min presentation of the project: https://static.sstic.org/rumps2022/SSTIC_2022-06-02_P10_RUMP...


I wonder how litigious Master Lock would be here. Even if they don't have a legal leg to stand on, a legal action for the sake of intimidation could still occur.


Pretty slick. Extra bump for the pen used for tool housing... pen-testing :)


Is there any chance that this vulnerability was created intentionally for e.g. law enforcement access? One could imagine that the manufacturer would provide LEO a similar device and instructions.

Not that it would in any way excuse it.


Safes like this are more meant to be tamper-evident and hard to move than impervious, which is why you always want to bolt your safe down to something solid if you have one like this.

A warrant and a circular saw will get you through really any consumer safe in seconds so I highly doubt they would go through all that risk to make it slightly easier to access but maybe there's concern of damaging evidence with forced entry or something.


The nice thing about this is that it's still tamper-evident, despite being opened non-violently. The PIN suddenly changed, so the owner knows that someone messed with their safe. Whether they did so by picking the backup lock or by using technology doesn't matter, the safe was obviously breached.

The safe would've lost its purpose entirely if it was possible to open the lock without resetting the PIN. I'm sure there's a vulnerability in there that allows for that (after all, the microcontroller allows for opening the safe without entering the right code, a very basic mistake to make!) but this project doesn't entirely defeat the safe yet.




Law enforcement doesn't need a vulnerability to open a safe. Once they have a warrant they can just call a locksmith to drill it open, etc. Any vulnerability would only be helping the locksmith or the owner of the safe, at that point.



